At first, I received this message from someone:
Today, I posted an ebook on the Internet called yuan, which is well written and the author's name is also clever. It is the same as your QQ network name, also called waxdoll. That's not what you wrote, right? It's awesome. Well written. Please download it! Click the address below to download the book: http://www.18hi.com/shu.exe
E-books are often packaged as EXE files, so the message is deceptive, and that is how the trick succeeds. Symptoms: when the browser is opened, it automatically jumps from about:blank to http://www.19ku.com/index.html, and a pop-up window that XP SP2 cannot block appears. The pop-up window address is http://www.sow.down.com/21.htm.
QQ will also send messages to others:
Hi, Mac. I haven't accessed the Internet these two days.
Today, an online friend sent me a QQ video. The QQ nickname of the person is the same as yours, also called Mac. Isn't it yours? Is the performance too explicit? Hope it's not you. You'd better check it out! Click the address below to download http://www.18hi.com/321.exe
Task Manager shows a suspicious process, "wsetdll.exe". The entry "wsetdll.exe" = "%systemdrive%\WINDOWS\SYSTEM\wsetdll.exe" is added to the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]. %systemdrive%\WINDOWS\SYSTEM\ contains the hidden system file wsetdll.exe.
Removal method:
1. End the wsetdll process.
2. Search for notepad* and wsetdll* under %systemdrive%, and delete all hidden system files whose modification time is the infection date and whose size is 18.5 KB (deleting only %systemdrive%\WINDOWS\SYSTEM\wsetdll.exe is not enough). The files I deleted include:
%systemdrive%\windows\notepad.exe
%systemdrive%\WINDOWS\SYSTEM\wsetdll.exe
%systemdrive%\WINDOWS\SYSTEM\notepad.exe
%systemdrive%\windows\system32\notepad.exe
Two other files are %systemdrive%\windows\prefetch\WSETDLL.EXE-243B2282.PF and %systemdrive%\windows\prefetch\NOTEPAD.EXE-3A18C50F.PF ("prefetch" means pre-fetching: Windows XP monitors the startup process and every program that runs so that the system can load the data needed next in advance; the advantage is faster operation.)
3. Delete the "wsetdll.exe" entry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
4. Restart
5. The TXT file is not associated with notepad.
OK!
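
Step 2's search criteria (name pattern, 18.5 KB size, modification date equal to the infection date) can be checked by script before anything is deleted. This is an added example, not part of the original post; the function name, the 64-byte size tolerance and the SHA-256 grouping of identical copies are assumptions made here.

```python
import fnmatch
import hashlib
import os
import sys
from collections import defaultdict
from datetime import date, datetime

PATTERNS = ("notepad*", "wsetdll*")   # name patterns from step 2
SIZE_BYTES = int(18.5 * 1024)         # "18.5kb" from step 2 = 18944 bytes
TOLERANCE = 64                        # assumption: slack for size rounding


def find_candidates(root, infected_on, size=SIZE_BYTES, tol=TOLERANCE):
    """Return {sha256: [paths]} for files matching name, size and date.

    Nothing is deleted: a clean notepad.exe also matches the name pattern,
    so size, modification date and hash are what separate the copies.
    """
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name.lower(), p) for p in PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if abs(st.st_size - size) > tol:
                    continue
                if datetime.fromtimestamp(st.st_mtime).date() != infected_on:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue              # locked or unreadable file: skip it
            groups[digest].append(path)
    return {h: sorted(p) for h, p in groups.items()}


if __name__ == "__main__":
    # Usage: script.py <root> <infection date as YYYY-MM-DD>
    hits = find_candidates(sys.argv[1], date.fromisoformat(sys.argv[2]))
    for digest, paths in hits.items():
        print(digest)
        for p in paths:
            print("   ", p)
```

Paths that share one hash are byte-identical copies, which is what the list of deleted files in step 2 suggests; a notepad.exe with a different size or date is left out of the report.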